CVE-2026-0897 – This vulnerability allows remote attackers to c... (How to Fix)

📋 TL;DR

This vulnerability allows remote attackers to cause Denial of Service (DoS) by sending a specially crafted .keras archive with an extremely large dataset shape declaration. When Keras attempts to load this malicious weight file, it allocates excessive memory without proper limits, crashing the Python interpreter. All users of Google Keras 3.0.0 through 3.13.0 are affected.

💻 Affected Systems

Products:

Google Keras

Versions: 3.0.0 through 3.13.0

Operating Systems: All platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the HDF5 weight loading component when processing .keras archives containing model.weights.h5 files.

📦 What is this software?

Keras by Keras

View all CVEs affecting Keras →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption with Python interpreter crashes, leading to application downtime and potential data loss in active sessions.

🟠

Likely Case

Service interruption and application crashes when processing malicious model files, requiring manual restart of affected services.

🟢

If Mitigated

Controlled service degradation with proper input validation and memory limits in place.

🌐 Internet-Facing: HIGH - Remote attackers can exploit this without authentication by uploading malicious files to exposed endpoints.

🏢 Internal Only: MEDIUM - Internal users or compromised internal systems could still trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires creating a malicious .keras archive with manipulated HDF5 dataset shape declarations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Keras 3.14.0 and later

Vendor Advisory: https://github.com/keras-team/keras/pull/21880

Restart Required: Yes

Instructions:

1. Upgrade Keras to version 3.14.0 or later using pip: pip install keras>=3.14.0
2. Restart all Python applications and services using Keras
3. Verify the fix by checking the version: import keras; print(keras.__version__)

🔧 Temporary Workarounds

Input validation for .keras files

all

Implement server-side validation to reject .keras files with suspiciously large dataset shape declarations before processing.

Memory limit enforcement

linux

Use OS-level memory limits (ulimit on Linux, Job Objects on Windows) to prevent Python interpreter crashes from exhausting system memory.

ulimit -v 4000000  # Limit virtual memory to 4GB

🧯 If You Can't Patch

Implement strict file upload validation to reject .keras files from untrusted sources
Deploy memory monitoring and alerting to detect abnormal memory consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check Keras version: import keras; print(keras.__version__). If version is between 3.0.0 and 3.13.0 inclusive, system is vulnerable.

Check Version:

python -c "import keras; print(keras.__version__)"

Verify Fix Applied:

After upgrading, verify version is 3.14.0 or later and test loading known valid .keras files to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

Python interpreter crashes with memory allocation errors
HDF5 library errors related to shape validation
Abnormal memory consumption spikes during file processing

Network Indicators:

Large .keras file uploads to ML model endpoints
Multiple failed model loading attempts

SIEM Query:

source="application.log" AND ("MemoryError" OR "h5py" OR "HDF5" OR "keras" AND "crash")

📊 Metadata

CVE ID: CVE-2026-0897

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-770

EPSS Score: 0.09% exploit probability (24.7th percentile)

Published: January 15, 2026

Last Updated: January 23, 2026

🔗 References

https://github.com/keras-team/keras/pull/21880 Issue Tracking,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0897, you might also want to check these: